Quality of Service to Over the Top Applications Used with VPN

ABSTRACT

Conventional quality of service (QoS) treatment is extended to over-the-top (OTT) applications transmitting data over a commercial wireless network via a virtual private network (VPN) tunnel. An over-the-top (OTT) application server and a VPN client/server routing data to/from that OTT application server via a VPN tunnel, are integrated with a quality of service (QoS) server to enable the OTT application server and/or VPN client/server to request and get desired QoS treatment for application data routed by the OTT application server over the VPN tunnel. The QoS server forwards QoS rules received in a QoS request message to a policy and charging rules function (PCRF) on the OTT application/VPN client devices&#39; home mobile network operator (MNO). If the client device is roaming, the PCRF on the home MNO forwards QoS rules to a PCRF on a serving MNO. QoS treatment is then carried out by the PCRF in a conventional manner.

The present invention is a continuation of U.S. application Ser. No. 14/056,412, filed Oct. 17, 2013, entitled “Quality of Service to Over the Top Applications Used with VPN”; which is a continuation-in-part of U.S. application Ser. No. 14/032,913, filed Sep. 20, 2013, entitled “Mechanisms For Quality of Service to Over the Top Applications For Use in Commercial Wireless Networks”; which claims priority from U.S. Provisional No. 61/714,944, filed Oct. 17, 2012, entitled “Mechanisms for Quality of Service to Over the Top Applications For Use In Commercial Wireless Networks”. The present application also claims priority from U.S. Provisional No. 61/815,976, filed Apr. 25, 2013, entitled “Quality of Service to Over the Top Applications Used with VPN”; and from U.S. Provisional No. 61/829,745, filed May 31, 2013, entitled “Quality of Service to Over the Top Applications Used with VPN”. The entirety of all four of these applications are expressly incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

This invention relates generally to Quality of Service (QoS) control for Virtual Private Network(s) (VPNs) established between smart phones and private networks (e.g., enterprise or agency intranet) over Long Term Evolution (LTE) commercial wireless networks. These VPN(s) may be used by smart phone applications to access data in the cloud in a secure manner and typically involve tunneling of original application IP packets in an encrypted fashion inside of an outer IP packet.

2. Background of Related Art

Verizon Wireless™ has recently become the first commercial service provider to fully launch a network with Long Term Evolution (LTE) 4G wireless broadband technology. Long Term Evolution (LTE) 4G wireless broadband technology is a recent technology that supports a fast and efficient all-Internet Protocol (IP) network (i.e., a network that provides services, e.g., voice, video, data, messaging, etc., solely over the Internet). It is expected that the majority of commercial service providers will also adopt an all-Internet Protocol (IP) network at some time in the near future.

As the future of technology gears toward an all-IP network, the number of available over-the-top (OTT) applications is expected to increase. An over-the-top (OTT) application is an application that uses a data channel provided by an Internet service provider (ISP) to connect to the Internet instead of using any special data handling features or network services offered thereby.

In accordance with conventional technology, over-the-top (OTT) application data is sometimes routed over a commercial wireless network via a virtual private network (VPN) tunnel (which involves the tunneling of original IP packets inside outer IP packets in an encrypted fashion). A virtual private network (VPN) tunnel provides additional transmission security to over-the-top (OTT) application data, which is especially helpful to over-the-top (OTT) applications that lack end-to-end encryption on their network connections.

Quality of service (QoS) refers to a set of performance characteristics by which a commercial wireless network is expected to convey data traffic to and from a client (quality of service (QoS) control mechanisms are applied to both the wireless and wireline components of a commercial network). Specific performance characteristics may include throughput (i.e. data quantity transmitted per unit time), latency (i.e. time delay between transmission and receipt of data), loss rate (i.e. frequency by which a commercial wireless network fails to deliver portions of transmitted data), jitter (i.e. a measure of variance of other characteristics), etc.

Currently, there exist several inherent limitations to the quality of service (QoS) treatment that a commercial wireless network is able to provide its' clients. For example, the maximum throughput that a commercial wireless network is able to provide across all clients is dependant on: a spectrum allocation held by the commercial wireless network, a backhaul infrastructure setup between cellular towers and fixed infrastructure within the commercial wireless network, the number of cellular towers in use within the commercial wireless network, the size of a footprint assigned to each cellular tower in use within the commercial wireless network, and any sources of electromagnetic interference within the commercial wireless network.

It is found that applications (e.g. smart phone applications) typically run better (i.e., perform more objective work per unit time and provide better user experience) when they are receiving a higher level of quality of service (QoS) treatment from a commercial wireless network as opposed to a lower level of quality of service (QoS) treatment. Consequently, many clients/service providers enter into contractual agreements with commercial wireless networks to ensure that they receive a data conveyance that is at-or-above a desired minimum performance level. For example, a commercial wireless network may agree (in exchange for monetary compensation) to provide a minimum of 12 kilobit/second throughput and a minimum of 0.1 second latency to a client user equipment (UE) that desires to receive real-time streaming video feed over that wireless network.

Commercial wireless networks use well-known internal techniques to ensure that contracted clients receive a pre-negotiated level of quality of service (QoS) treatment. For example, a network operator may delay transmitting data for one low-level quality of service (QoS) client to prioritize data transmission for another high-level quality of service (QoS) client. Likewise, a network operator may discard data packets transmitted to/from one low-level quality of service (QoS) client more frequently, to ensure data conveyance for another high-level quality of service (QoS) client.

Unfortunately, vendors of over-the-top (OTT) applications and associated data do not typically enter into contractual quality of service (QoS) agreements with commercial wireless networks (e.g. Long Term Evolution (LTE) networks). Therefore, over-the-top (OTT) applications are typically unable to benefit from quality of service (QoS) control mechanisms (e.g. priority, packet delay, guaranteed bit rate, etc.) available thereon. Instead, most over-the-top (OTT) applications (e.g., Skype, Netflix, etc.) provide services on a best-effort basis (i.e., data delivery, efficiency not guaranteed).

Differentiated Services (DiffServ) has defined a mechanism for classifying and managing network traffic on modern Internet Protocol (IP) networks, for the purposes of providing quality of service (QoS) treatment thereon. In particular, DiffServ uses a 6 bit field (i.e. a DS field) in an IP header for packet classification purposes.

In accordance with conventional DiffServ technology, a DS field may be influenced (set) by an application generating IP packets. Moreover, a virtual private network (VPN) client may copy a DiffServ header from an incoming application IP packet (that will eventually be encapsulated) to an IP header of a tunneling IP packet to extend DiffServ quality of service (QoS) treatment to a virtual private network (VPN) environment.

However, though smart phone applications, application cores in the cloud, and virtual private network (VPN) software may all influence the setting of a DS field, there is no guarantee that an Internet Protocol (IP) network (e.g. a long term evolution (LTE) network) will honor a DS field setting and provide desired quality of service (QoS) treatment, being that: first, the honoring of a DS field is not mandated by current standards and, second, triggering quality of service (QoS) treatment in such a fashion defeats the purpose of quality of service (QoS) control as, conceivably, all types of data traffic flowing through an IP network could be marked for preferential treatment by a source application.

As commercial wireless networks begin carrying data for over-the-top (OTT) mission critical applications, such as applications used by emergency dispatch personnel and emergency first responders, a best-effort treatment of over-the-top (OTT) applications will no longer be acceptable. This is especially true in times of disaster, when networks are likely heavily congested. Hence, a successful means of extending quality of service (QoS) treatment to over-the-top (OTT) applications, including over-the-top (OTT) applications transmitting data over a virtual private network (VPN) tunnel, is needed.

SUMMARY

A method and apparatus for extending conventional quality of service (QoS) treatment to over-the-top (OTT) applications transmitting data over a commercial wireless network via a virtual private network (VPN) tunnel, comprises a quality of service (QoS) server. In accordance with the principles of the present invention, an over-the-top (OTT) application server and a virtual private network (VPN) client/server routing data to/from the over-the-top (OTT) application server over a virtual private network (VPN) tunnel, are each integrated with a quality of service (QoS) server. Following integration, the over-the-top (OTT) application server and/or the virtual private network (VPN) client/server may request and get desired quality of service (QoS) treatment for application data routed by the over-the-top (OTT) application over the virtual private network (VPN) tunnel. The present invention is applicable to both single-tenant virtual private network (VPN) tunnels and multi-tenant virtual private network (VPN) tunnels.

In accordance with the principles of the present invention, a single-tenant virtual private network (VPN) tunnel (i.e. a virtual private network (VPN) tunnel that is treated as a single application) is only permitted one quality of service (QoS) designation at a time. Hence, a quality of service (QoS) designation requested for/by an application routing data over a single-tenant virtual private network (VPN) tunnel is applied to all application data routed over that virtual private network (VPN) tunnel.

Alternatively, applications routing data over a multi-tenant virtual private network (VPN) tunnel are acknowledged independently and assigned their own individual quality of service (QoS) designations. Hence, a quality of service (QoS) designation requested for/by an application routing data over a multi-tenant virtual private network (VPN) tunnel is applied to application data routed by that requesting over-the-top (OTT) application, only. In accordance with the principles of the present invention, a multi-tenant virtual private network (VPN) tunnel may define a default quality of service (QoS) designation for application data routed to/from applications that have not indicated a preferred quality of service (QoS) designation.

In accordance with the principles of the present invention, the quality of service (QoS) server forwards desired quality of service (QoS) rules embedded in a quality of service (QoS) request message to a policy and charging rules function (PCRF) on a requesting over-the-top (OTT) application/virtual private network (VPN) client devices' home mobile network operator (MNO). If a client device is roaming, then the policy and charging rules function (PCRF) on the client devices' home mobile network operator (MNO) forwards received quality of service (QoS) rules to a policy and charging rules function (PCRF) serving the client device. Quality of service (QoS) treatment is then carried out in a conventional manner by the serving policy and charging rules function (PCRF).

In accordance with the principles of the present invention, a connection between a quality of service (QoS) server and a policy and charging rules function (PCRF) is preferably established via a diameter Rx interface. Accordingly, the primary function of a quality of service (QoS) server is to translate diameter protocol messages to other communication mediums and vice versa.

In accordance with the principles of the present invention, an over-the-top (OTT) application must provide identification details and register services and application characteristics with the quality of service (QoS) server before that application is permitted to request quality of service (QoS) treatment therefrom. During registration with the quality of service (QoS) server, an over-the-top (OTT) application is required to provision one or more quality of service (QoS) application profiles, each indicating a desired level of quality of service (QoS).

In accordance with the principles of the present invention, a virtual private network (VPN) client/server must furnish relevant tunneling information to the quality of service (QoS) server before that virtual private network (VPN) client/server is permitted to request quality of service (QoS) treatment therefrom. Relevant tunneling information varies depending upon a type of virtual private network (VPN) tunnel established. In particular, during registration with the quality of service (Qos) server, a single-tenant virtual private network (VPN) tunnel is required to provision identification details and one or more quality of service (QoS) application profiles on the quality of service (QoS) server. Alternatively, during registration with the quality of service (Qos) server, a multi-tenant virtual private network (VPN) tunnel must provision identification details and adequate tunneling information on the quality of service (QoS) server, but need not preprovision any quality of service (QoS) application profiles. Tunneling information furnished to the quality of service (QoS) server for a multi-tenant virtual private network (VPN) tunnel must enable the quality of service (QoS) to identify IP packets associated with application data routed thereover.

In accordance with the principles of the present invention, a quality of service (QoS) application profile ID identifying a particular quality of service (QoS) application profile (i.e. quality of service (QoS) rules), is included in each quality of service (QoS) request message sent to the quality of service (QoS) server. A quality of service (QoS) application profile ID indicates to the quality of service (QoS) server a particular quality of service (QoS) application profile to invoke.

When an over-the-top (OTT) application server detects a termination of signaling or service on an over-the-top (OTT) application client device, the over-the-top (OTT) application server sends a quality of service (QoS) termination message to the quality of service (QoS) server, to indicate that reserved quality of service (QoS) values may be terminated on the client devices' home mobile network operator (MNO).

Likewise, a virtual private network (VPN) client/server must inform the quality of service (QoS) server when a virtual private network (VPN) tunnel has terminated.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of the present invention will become apparent to those skilled in the art from the following description with reference to the drawings, in which:

FIG. 1 depicts an exemplary network structure for extending conventional quality of service (QoS) treatment to over-the-top (OTT) applications routing data over a commercial wireless network via a virtual private network (VPN) tunnel, in accordance with the principles of the present invention.

FIG. 2 depicts an exemplary quality of service (QoS) server architecture, in accordance with the principles of the present invention.

FIG. 3 depicts an exemplary process flow for extending quality of service (QoS) treatment to over-the-top (OTT) applications routing data over a commercial wireless network via a virtual private network (VPN) tunnel, in accordance with the principles of the present invention.

FIG. 4 depicts conventional encryption and encapsulation of an original IP packet, in accordance with conventional IPSec virtual private network (VPN) technology.

FIG. 5 depicts a conventional single-tenant virtual private network (VPN) tunnel.

FIG. 6 depicts a conventional multi-tenant virtual private network (VPN) tunnel.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The present invention extends conventional quality of service (QoS) treatment to over-the-top (OTT) applications transmitting data over a commercial wireless network (e.g. a long term evolution (LTE) network) via a virtual private network (VPN) tunnel.

New wireless standards, such as long term evolution (LTE), only specify data connectivity, and do not specify any applications. Applications, rather, are expected to be facilitated via carrier-hosted application frameworks (e.g. an internet multimedia system (IMS)).

To ensure that applications carried out via carrier-hosted application frameworks operate at a desired level of quality of service (QoS) (e.g. packet delay, priority, etc.), new wireless standards have defined a policy and charging rules function (PCRF). A policy and charging rules function (PCRF) is a network element (in a long term evolution (LTE) packet core) that may be accessed by carrier-hosted application frameworks (e.g. IMS) (via a diameter protocol based interface (Rx)) for the purposes of providing quality of service (QoS) treatment to applications.

Unfortunately, applications to which policy and charging rules functions (PCRF) are expected to extend quality of service (QoS) treatment, do not include over-the-top (OTT) applications. An over-the-top (OTT) application is an application that provides services/content to a client user equipment (UE) over the Internet, absent the involvement of an Internet service provider (ISP). Hence, conventional over-the-top (OTT) applications are not facilitated via carrier-hosted application frameworks, and are thus not able to benefit from quality of service (QoS) treatment available on today's commercial wireless networks. Rather, conventional over-the-top (OTT) applications are typically forced to operate on a best-effort basis (i.e. data delivery, efficiency not guaranteed).

With the future of technology gearing towards an all IP-network (e.g. a long term evolution (LTE) network), over-the-top (OTT) applications are expected to become increasingly common. As commercial wireless networks begin carrying data for over-the-top (OTT) mission critical applications, such as those applications used by emergency dispatch personnel and emergency first responders, a best effort treatment of over-the-top (OTT) application data will no longer be acceptable.

The present invention expands a method of extending conventional quality of service (QoS) treatment to over-the-top (OTT) applications routing data over a commercial wireless network, as disclosed in co-pending and co-owned U.S. patent application Ser. No. 14/032,913, filed Sep. 20, 2013, entitled: “MECHANISMS FOR QUALITY OF SERVICE TO OVER THE TOP APPLICATIONS FOR USE IN COMMERCIAL WIRELESS NETWORKS”, claiming priority from U.S. Provisional Application No. 61/703,554, filed Sep. 20, 2012, entitled: “MECHANISMS FOR QUALITY OF SERVICE TO OVER THE TOP APPLICATIONS FOR USE IN COMMERCIAL WIRELESS NETWORKS”, and from U.S. Provisional No. 61/714,944, filed Oct. 17, 2012, entitled “MECHANISMS FOR QUALITY OF SERVICE TO OVER THE TOP APPLICATIONS FOR USE IN COMMERCIAL WIRELESS NETWORKS”, all of which are explicitly incorporated herein by reference. Mechanisms for quality of service control disclosed in U.S. patent Ser. No. 14/032,913 address a scenario wherein an over-the-top (OTT) application connects to a cloud based application infrastructure directly.

The present invention addresses a variation of the scenario described in U.S. patent application Ser. No. 14/032,913. In particular, the present invention addresses a scenario wherein an over-the-top (OTT) application client on a user equipment (UE) is connected to a cloud based over-the-top (OTT) application server via a virtual private network (VPN) connection. A conventional virtual private network (VPN) connection provides additional transport security to over-the-top (OTT) application data traversing a commercial wireless network, by tunneling original IP packets inside outer IP packets in an encrypted fashion. Mechanisms for establishing a virtual private network (VPN) tunnel appropriate to convey over-the-top (OTT) application data are well known to those skilled in the art.

In accordance with the principles of the present invention, conventional quality of service (QoS) treatment is extended to over-the-top (OTT) applications transmitting data over a commercial wireless network (e.g. a long term evolution (LTE) network) via a virtual private network (VPN) tunnel, without requiring that modifications be made to over-the-top (OTT) applications, and without requiring that over-the-top (OTT) application developers negotiate separate quality of service (QoS) agreements with mobile network operators (MNO). Moreover, the present invention extends conventional quality of service (QoS) treatment to virtual private networks (VPN) carrying over-the-top (OTT) application data without burdening virtual private networks (VPN) with network integration aspects, such as: knowledge of user location, knowledge of a policy and charging rules function (PCRF), knowledge of a long term evolution (LTE) packet core, etc.

In accordance with the principles of the present invention, an over-the-top (OTT) application server and a virtual private network (VPN) client/server carrying data to/from that over-the-top (OTT) application server over a virtual private network (VPN) tunnel, are each integrated with an inventive quality of service (QoS) server. Following integration, the over-the-top (OTT) application server and/or the virtual private network (VPN) client/server may send a quality of service (QoS) request message to the inventive quality of service (QoS) server (via an appropriate virtual private network (VPN) client/server interface or over-the-top (OTT) application interface) to request that desired quality of service (QoS) treatment (identified by a quality of service (QoS) application profile ID) be applied to application data routed by the over-the-top (OTT) application over the virtual private network (VPN) tunnel.

The inventive quality of service (QoS) server forwards quality of service (QoS) rules embedded in a quality of service (QoS) request message to a policy and charging rules function (PCRF) residing on a requesting over-the-top (OTT) application/virtual private network (VPN) client devices' home mobile network operator (MNO). If the client device is roaming, then the policy and charging rules function (PCRF) on that device's home mobile network operator (MNO) forwards quality of service (QoS) rules to a policy and charging rules function (PCRF) serving the client device. Quality of service (QoS) treatment is then carried out by the policy and charging rules function (PCRF) in a conventional manner.

In accordance with the principles of the present invention, an over-the-top (OTT) application server and/or a virtual private network (VPN) client/server may modify a previously requested level of quality of service (QoS) treatment, when a previously requested level of quality of service (QoS) treatment is not resulting in desired performance.

The inventive solution may be applied to various virtual private network (VPN) technologies, including: a layer 2 tunneling protocol (L2TP) technology, a point-to-point tunneling protocol (PPTP) technology, a transport layer security/virtual private network (VPN) technology, etc. However, for illustrative purposes, the present invention is described herein via use of an IPSec virtual private network (VPN) technology configured in tunnel mode. In accordance with conventional IPSec virtual private network (VPN) technology, all IP datagrams (including both datagram header and datagram packet) routed over a virtual private network (VPN) tunnel are first encapsulated inside new IP datagrams with IPSec headers.

FIG. 4 depicts conventional encryption and encapsulation of an original IP packet, in accordance with conventional IPSec virtual private network (VPN) technology.

In particular, an original IP packet 420 (including an original IP header 440 and an original application payload 450) is encrypted 400 a, 400 b and encapsulated in an outer IP packet 410 with an IPSec header 430 before it is routed over a conventional IPSec virtual private network (VPN) tunnel. A virtual private network (VPN) client/server also interprets an original IP packet 420 and assigns an appropriate security parameter index (SPI) value (in accordance with a preconfigured security parameter index (SPI) value) thereto before routing the IP packet over a virtual private network (VPN) tunnel. A security parameter index (SPI) value serves as an index to a conventional security association database (SADB) (i.e. a database that maintains information for a virtual private network (VPN) tunnel) maintained for a virtual private network (VPN) tunnel. A security association database (SADB) preferably includes some or all of the following information: security association information (i.e. security parameter index, IPSec protocol, IP destination address) and security policy information (i.e. IP source address, IP destination address, fully qualified domain name, source port number, destination port number, quality of service (QoS) application profile ID).

The present invention is applicable to both single-tenant virtual private network (VPN) tunnels and multi-tenant virtual private network (VPN) tunnels.

FIG. 5 depicts a conventional single-tenant virtual private network (VPN) tunnel.

In particular, a single-tenant virtual private network (VPN) tunnel 500 is always treated as a single application, regardless of how many applications 510 actually utilize the tunnel 500. Therefore, a single-tenant virtual private network (VPN) tunnel 500 is only permitted one quality of service (QoS) designation 540 at a time. In accordance with the principles of the present invention, a quality of service (QoS) designation requested for/by an application routing data over a single-tenant virtual private network (VPN) tunnel 500 is applied to all application data 510 routed over that virtual private network (VPN) tunnel 500.

FIG. 6 depicts a conventional multi-tenant virtual private network (VPN) tunnel.

As portrayed in FIG. 6, applications 530 transmitting data over a multi-tenant virtual private network (VPN) tunnel 520 are acknowledged independently and may thus be assigned their own individual quality of service (QoS) designations 550. A quality of service (QoS) designation 550 requested for/by an application routing data over a multi-tenant virtual private network (VPN) tunnel 500 is only applied to application data routed by that application.

FIG. 1 depicts an exemplary network structure for extending conventional quality of service (QoS) treatment to over-the-top (OTT) applications routing data over a commercial wireless network via a virtual private network (VPN) tunnel, in accordance with the principles of the present invention.

In particular, as depicted in FIG. 1, a quality of service (QoS) server 100 is configured to directly interface with one or more commercial wireless networks 102 a, 102 b via a conventional policy and charging rules function (PCRF) (i.e. an IP multimedia subsystem (IMS)/long term evolution (LTE) network component) 104. In accordance with the principles of the present invention, a connection between a quality of service (QoS) server 100 and a policy and charging rules function (PCRF) 104 is preferably established via a diameter Rx interface 106 (3GPP specifications 29.209, 29.214). Hence, the primary function of a quality of service (QoS) server 100 is to translate diameter protocol interface 106 messages to other communication mediums and vice versa.

Once a connection is established between a policy and charging rules function (PCRF) 104 and the quality of service (QoS) server 100, the inventive quality of service (QoS) server 100 takes on the role of a special application function (AF) connected on the backend (i.e. not accessible to a user) 110 of one or more disparate applications. The quality of service (QoS) server 100 also establishes a connection with a virtual private network (VPN) server 112 and/or virtual private network (VPN) client 118, when application data exchanged between an over-the-top (OTT) application client 120 and an over-the-top (OTT) application server 110 happens over a virtual private network (VPN) tunnel 114.

As depicted in FIG. 1, the inventive quality of service (QoS) server 100 uses a secure virtual private network (VPN) client/server interface 116 to interface with a virtual private network (VPN) client 118/server 112 on either end of a virtual private network (VPN) tunnel 114. In accordance with the principles of the present invention, virtual private network (VPN) clients 118/servers 112 use the virtual private network (VPN) client/server interface 116 to provide relevant tunneling information to the quality of service (QoS) server 100. Relevant tunneling information enables the quality of service (QoS) server 100 to identify IP packets associated with over-the-top (OTT) application data transmitted over a virtual private network (VPN) tunnel 114.

In accordance with the principles of the present invention, a virtual private network (VPN) tunnel 114 is established between a virtual private network (VPN) client 118 on a user equipment 108, and a fixed infrastructure virtual private network (VPN) server 112, so that data traffic transmitted to/from one or more over-the-top (OTT) application clients 120 on the user equipment (UE) 108 may traverse the virtual private network (VPN) tunnel 114. A virtual private network (VPN) tunnel 114 encrypts and encapsulates an original IP packet inside an outer IP packet while the IP packet is traversing a commercial wireless network. An underlying commercial wireless network 102 a, 102 b is typically configured to provide a certain level of quality of service (QoS) treatment to traffic traversing a virtual private network (VPN) tunnel 114.

In accordance with the principles of the present invention, the quality of service (QoS) server 100 must be able to communicate with backend applications 110, carrier policy and charging rules (PCRF) function(s) 104, and virtual private network (VPN) clients 118/servers 112, simultaneously. Simultaneous communication may be permitted via a firewall setting and/or other network configuration rules.

In accordance with the principles of the present invention, a quality of service (QoS) server 100 may be located separate from a mobile network operator (MNO) 102 a, 102 b or co-located with a mobile network operator (MNO) 102 a, 102 b. Possible mobile network operator (MNO) integration targets currently include: a universal mobile telecommunications system (UMTS), long term evolution (LTE) technology, an evolved-universal mobile telecommunications system (E-UMTS), long term evolution (LTE) technology advanced, and Wi-Fi. The quality of service (QoS) server 100 may easily be extended to support additional network interfaces as technology evolves.

FIG. 2 depicts an exemplary quality of service (QoS) server architecture, in accordance with the principles of the present invention.

In particular, as portrayed in FIG. 2, the inventive quality of service (QoS) server 100 interacts with a mobile network operator (MNO) policy and charging rules function (PCRF) interface (a diameter protocol interface) 106, an over-the-top (OTT) application interface 210, a number portability database (NPDB) interface 240, and a virtual private network (VPN) client/server interface 116 to extend quality of service (QoS) treatment to applications routing data over a commercial wireless network 102 a, 102 b via a virtual private network (VPN) tunnel 114.

In accordance with the principles of the present invention, the quality of service (QoS) server 100 maintains profiles and information for over-the-top (OTT) applications in a local application information database 220, tunneling and IP packet information for registered virtual private network (VPN) tunnels in a local virtual private network (VPN) tunneling information database 250, and home mobile network operator (MNO) information for over-the-top (OTT) application client devices in a local mobile network operator (MNO) information database 230.

If by chance the quality of service (QoS) server 100 is not able to find home mobile network operator (MNO) information for a requesting client device 108 in the local mobile network operator (MNO) information database 230, then the quality of service (QoS) server 100 accesses a number portability database (NPDB) interface 240 to retrieve relevant home mobile network operator (MNO) information from an external number portability database (NPDB) 270.

The over-the-top (OTT) application interface 210, as depicted in FIG. 2, is designed to operate over a secure, transport layer security (TLS)/secure sockets layer (SSL) communications channel that utilizes representational state transfer (REST) hypertext transfer protocol (HTTP), hypertext transfer protocol (HTTP), simple object access protocol (SOAP), extensible markup language (XML), etc., message formats. New mediums for the over-the-top (OTT) application interface 210 may be defined and used, as appropriate, as long as application quality of service (QoS) message formats (i.e. attributes and corresponding values included in application quality of service messages) conform minimally to application quality of service (QoS) message formats described herein (i.e. an application quality of service (QoS) request message format, an application quality of service (QoS) response message format, and an application quality of service (QoS) termination message format).

As previously stated, the quality of service (QoS) server 100 uses a diameter Rx protocol (3GPP 29.214) to interface 106 with a mobile network operator (MNO) policy and charging rules function (PCRF) 104. A mobile network operator (MNO) policy and charging rules function (PCRF) interface 106, as depicted in FIG. 2, provides discovery and addressing of a home policy and charging rules function (HPCRF) 104 assigned to a requesting over-the-top (OTT) application/virtual private network (VPN) client device 108. The mobile network operator (MNO) policy and charging rules function (PCRF) interface 106 is also enhanced to allow tracking registration of the following IP header information: a virtual private network (VPN) security parameter index (SPI) (per RFC 2401, as required with IPSec protocol by a virtual private network (VPN) client/server) and an IPSec protocol (per RFC 2401).

In accordance with the principles of the present invention, the quality of service (QoS) server 100 assumes the role of an application function (AF) and complies with policy and charging rules function (PCRF) 104 discovery and addressing, as described in a 3GPP series 29.213 specification. In support of this 3GPP series 29.213 specification, the quality of service (QoS) server 100 preferably maintains a table with a fully qualified domain name (FQDN) or internet protocol (IP) address of a policy and charging rules function (PCRF) 104, for each supported single policy and charging rules function (PCRF) mobile network operator (MNO), and a diameter routing agent, for each supported multi-policy and charging rules function (PCRF) mobile network operator (MNO).

The quality of service (QoS) server 100 interfaces with a home policy and charging rules function (HPCRF) 104, regardless as to whether or not a client user equipment (UE) 108 is roaming. A home policy and charging rules function (HPCRF) 104 coordinates a download of quality of service (QoS) rules to a visiting policy and charging rules function (VPCRF) in a roaming network (per 3GPP standards) when a requesting client user equipment (UE) 108 is roaming.

In accordance with the principles of the present invention, number portability databases (NPDB) 270 and the local mobile network operator (MNO) information database 230 (as shown in FIG. 2) support multiple transaction capabilities application part (TCAP) based protocols (e.g., advanced intelligent network (AIN), intelligent network application protocol (INAP), American national standards institute ((ANSI)-41), etc.) for number portability queries, since such protocols support queries from both wireline and wireless networks based on various standards. The quality of service (QoS) server 100 preferably uses a number portability request (NPREQ) TCAP query (per telecommunications industry association/electronic industries association (TIA/EIA)-756A and telecommunications industry association/electronic industries association (TIA/EIA) ANSI41-D specifications) to determine a current mobile network operator (MNO) associated with an over-the-top (OTT) application client device 108. The quality of service (QoS) server 100 may easily be extended to support other protocols for number portability lookup.

As previously stated, the quality of service (QoS) server 100 uses a virtual private network (VPN) client/server interface 116 to interface with a virtual private network (VPN) client 118 and/or a virtual private network (VPN) server 112. The virtual private network (VPN) client/server interface 116, as portrayed in FIG. 2, is designed to operate over a secure transport layer security (TLS)/secure sockets layer (SSL) communications channel that utilizes representational state transfer (REST) hypertext transfer protocol (HTTP), hypertext transfer protocol (HTTP), simple object access protocol (SOAP), extensible markup language (XML), etc., message formats. The quality of service (QoS) server 100 may also/alternatively interface with a virtual private network (VPN) client 118 via a wireless network connection 260.

New mediums for the virtual private network (VPN) client/server interface 116 may be defined and used as appropriate, as long as VPN quality of service (QoS) message formats (i.e. attributes and corresponding values included in VPN quality of service (QoS) messages) conform minimally to VPN quality of service (QoS) message formats described herein (i.e. a VPN quality of service (QoS) request message format, a VPN quality of service (QoS) response message format, and a VPN quality of service (QoS) termination message format). Depending upon the implementation, a VPN quality of service (QoS) message may additionally be embedded in a defined message format, e.g., a radius or diameter message format.

FIG. 3 depicts an exemplary process flow for extending quality of service (QoS) treatment to over-the-top (OTT) applications routing data over a commercial wireless network via a virtual private network (VPN) tunnel, in accordance with the principles of the present invention.

In particular, as shown in step 1 a of FIG. 3, a virtual private network (VPN) tunnel performs VPN profile configuration with a quality of service (QoS) server 100 via an authenticated virtual private network (VPN) client/server interface 116. During virtual private network (VPN) profile configuration, a virtual private network (VPN) client/server furnishes relevant tunneling information to the quality of service (QoS) server 100 for a virtual private network (VPN) tunnel established therebetween. Relevant tunneling information varies depending upon the type of virtual private network (VPN) tunnel established.

In particular, a single-tenant virtual private network (VPN) tunnel 500 provisions one or more quality of service (QoS) application profiles (and corresponding quality of service application profile IDs) on the quality of service (QoS) server 100 during VPN profile configuration. A quality of service (QoS) application profile includes tunnel identification details and indicates a desired level of quality of service (QoS) treatment.

Alternatively, a multi-tenant virtual private network (VPN) tunnel 520 provisions identification details on the quality of service (QoS) server 100 during VPN profile configuration, but need not provision any quality of service application profiles. Rather, over-the-top (OTT) applications 530 utilizing a multi-tenant virtual private network (VPN) tunnel 520 provision their own quality of service (QoS) application profiles on the quality of service (QoS) server 100 during application profile configuration, performed in step 1 b. A quality of service (QoS) designation requested by an over-the-top (OTT) application transmitting data over a multi-tenant virtual private network (VPN) tunnel 520 is associated to that multi-tenant virtual private network (VPN) tunnel 520.

In accordance with the principles of the present invention, a multi-tenant virtual private network (VPN) 520 tunnel must provide adequate tunneling information (including IPSec security policy and IPSec security association information) to the quality of service (QoS) server 100 during VPN profile configuration. Adequate tunneling information is any information that enables the quality of service (QoS) server 100 to determine actual IP header information 440 associated with application data routed over the multi-tenant virtual private network (VPN) tunnel 520. Moreover, tunneling information must enable the quality of service (QoS) server 100 to adequately communicate quality of service (QoS) rules defined in a quality of service (QoS) request message to a relevant policy and charging rules function (PCRF) 104.

Table 1 depicts exemplary tunneling information provided to the quality of service (QoS) server during virtual private network (VPN) profile configuration.

TABLE 1 Security Association (Tunnel Header Information) Security Policy Information (For Encapsulated Traffic) Fully Security IP IP Qualified Destination QoS- Parameter IPSec Destination IP Source Destination Domain Source Port Port Application- Index Protocol Address Address Address Name Number Number Profile-ID

In particular, as portrayed in Table 1, IPSec security policy information (for encapsulated data traffic) and IPSec security association information (tunnel header information) relevant to a virtual private network (VPN) tunnel is provided to the quality of service (QoS) server 100 during VPN profile configuration (step 1 a). Relevant IPSec security policy information preferably includes: an IP source address, an IP destination address, a fully qualified domain name, a source port number, a destination port number, and a quality of service application profile ID. Relevant IPSec security association information preferably includes: a security parameter index, an IPSec protocol, and an IP destination address.

Updated tunneling information must be furnished to the quality of service (QoS) server 100 for each new virtual private network (VPN) tunnel that is established. In accordance with the principles of the present invention, tunneling information may either be preprovisioned on the quality of service (QoS) server 100 during VPN profile configuration, or provided to the quality of service (QoS) server 100 dynamically, via use of a VPN quality of service (QoS) registration message.

As portrayed in step 1 b of FIG. 3, an application performs application profile configuration on the quality of service (QoS) server 100 via an authenticated over-the-top (OTT) application interface 210. In accordance with the principles of the present invention, an over-the-top (OTT) application must provide identification details and register services and application characteristics with a quality of service (QoS) server 100 before that application is permitted to request quality of service (QoS) treatment therefrom. For security purposes, the quality of service (QoS) server 100 only accepts registration attempts from over-the-top (OTT) applications for which the quality of service (QoS) server 100 has been pre-configured to accept registration attempts. Therefore, not all over-the-top (OTT) applications are permitted to register with a quality of service (QoS) server 100. Moreover, over-the-top (OTT) applications that are granted registration with a quality of service (QoS) server 100 are only permitted to receive levels of quality of service (QoS) treatment for which they have been pre-authorized to receive. Quality of service (QoS) requests are validated by the quality of service (QoS) server 100 before they are processed. An over-the-top (OTT) application also identifies service abilities and provisions one or more quality of service (QoS) application profiles on the quality of service (QoS) server 100 during application profile configuration.

However, before an over-the-top (OTT) application can register and provision quality of service (QoS) application profiles on the quality of service (QoS) server 100, the quality of service (QoS) server 100 must first collect the following data from the over-the-top (OTT) application (more characteristics may be required as new application characteristics present themselves): an over-the-top (OTT) application identifier, over-the-top (OTT) access credentials, one or more quality of service (QoS) application profile IDs, over-the-top (OTT) application characteristics, and one or more mobile network operator (MNO) associations.

In accordance with the principles of the present invention, an over-the-top (OTT) application identifier is a unique string (synchronized with a carrier provided “AF-Application-Identifier”) that is provided to an over-the-top (OTT) application via an out-of-band mechanism. An over-the-top (OTT) application identifier may be prefixed with quality of service (QoS) unique identifiers for use on the quality of service (QoS) server 100.

Over-the-top (OTT) access credentials (e.g. a secret/password or public key infrastructure (PKI) verification) are a set of credentials agreed upon by an over-the-top (OTT) application and the quality of service (QoS) server 100 in an out of band manner.

A quality of service (QoS) application profile ID is a quality of service (QoS) specific value, defined per application identifier. More particularly, the quality of service (QoS) application profile ID is defined by the quality of service (QoS) server 100 and provided to an over-the-top (OTT) application via an out of band mechanism.

In accordance with the principles of the present invention, a quality of service (QoS) application profile ID points to a quality of service (QoS) application profile that is to be provisioned for an over-the-top (OTT) application. A quality of service (QoS) application profile contains application details (e.g. service characteristics, etc.) and indicates a desired level of quality of service (QoS) treatment. A quality of service (QoS) application profile ID is referenced in each quality of service (QoS) request message sent to the quality of service (QoS) server 100, to indicate to the quality of service (QoS) server 100 a particular quality of service (QoS) application profile to invoke. In accordance with the principles of the present invention, an over-the-top (OTT) application may provision multiple quality of service (QoS) application profiles to indicate varying levels of desired quality of service (QoS).

Over-the-top (OTT) application characteristics provided to the quality of service (QoS) server 100 during application profile configuration include (this list may be extended as new requirements develop, either by 3GPP specifications or via over-the-top (OTT) evolution): a media component number (i.e. an ordinal number of a media component), a media sub-component (i.e. a set of flows for one flow identifier), an application identifier, a media type (e.g. audio (0), video (1), data (2), application (3), control (4), text (5), message (6), other (0xFFFFFFFF)), a maximum requested bandwidth (Bw) uplink (UL), a maximum requested bandwidth (Bw) downlink (DL), a flow status, a reservation priority, RS bandwidth (Bw), RR bandwidth (Bw), codec data, and a tunnel encapsulation indicator, e.g., yes, no, IPSec, etc.

In accordance with the principles of the present invention, a media sub-component field may include the following characteristics: a flow number (i.e. an ordinal number of the IP flow), a flow description (e.g. uplink (UL) and/or downlink (DL)), a flow status, flow usage, a maximum requested bandwidth (Bw) uplink (UL), a maximum requested bandwidth (Bw) downlink (DL), and an application function (AF) signaling protocol.

Moreover, a mobile network operator (MNO) associations field provided to the quality of service (QoS) server 100 during application profile configuration identifies all of the networks for which an over-the-top (OTT) application is authorized to designate quality of service (QoS) settings. Values in a mobile network operator (MNO) associations field are defined per quality of service (QoS) implementation and represent system logical identifiers for the purposes of routing communications to particular policy and charging rules (PCRF) functions.

In accordance with the principles of the present invention, once required application data is furnished to the quality of service (QoS) server 100, an over-the-top (OTT) application provisions one or more quality of service (QoS) application profiles on the quality of service (QoS) server 100. Following quality of service (QoS) application profile provisioning, the over-the-top (OTT) application may begin submitting registrations to the quality of service (QoS) server 100, on a per user equipment (UE) basis. In accordance with the principles of the present invention, an over-the-top (OTT) application is required to register with the quality of service (QoS) server 100 periodically.

Following application profile configuration, an over-the-top (OTT) application may send quality of service (QoS) requests to the quality of service (QoS) server 100, on a per user equipment (UE) basis.

As shown in steps 2 a and 2 b of FIG. 3, a virtual private network (VPN) tunnel 114 is established between a virtual private network (VPN) client 118 on a user equipment (UE) 108 and a fixed infrastructure virtual private network (VPN) server 112, so as to allow data traffic transmitted to/from one or more over-the-top (OTT) application clients 120 (that have undergone application profile configuration on the quality of service (QoS) server 100) on the user equipment (UE) 108 to traverse the tunnel 114.

In accordance with the principles of the present invention, the virtual private network (VPN) client 118/server 112 sends a VPN quality of service (QoS) registration message with appropriate tunneling information to the quality of service (QoS) server 100 during VPN tunnel establishment, as depicted in steps 3 a and 3 b of FIG. 3. Upon receipt of the VPN quality of service (QoS) registration message, the quality of service (QoS) server 112 returns a VPN quality of service (QoS) registration response message to the virtual private network (VPN) client 118/server 112, as depicted in steps 4 a and 4 b of FIG. 3. VPN tunneling information may alternatively be provisioned on the quality of service (QoS) server 100 during VPN profile configuration.

Once VPN registration with the quality of service (QoS) server 100 is complete, the virtual private network (VPN) client 118/server 112 may send a VPN quality of service (QoS) request message to the quality of service (QoS) server 100 to request desired quality of service (QoS) treatment therefrom, as shown in steps 5 a and 5 b of FIG. 3.

In accordance with the principles of the present invention, VPN quality of service (QoS) registration and request messages preferably include: a message ID (i.e. an identifier defined by, and unique to, a requesting virtual private network (VPN) server 112/client 118), a quality of service (QoS) application profile ID (optional), a publically available mobile network assigned source framed internet protocol (IP) address (an attribute-value pair (AVP)) or framed IPv6 prefix (an attribute-value pair (AVP), RFC 4005 [12]), a flow description (an attribute-value pair (AVP), 3GPP 29.214), a virtual private network (VPN) security parameter index (SPI) (per RFC 2041, as required with IPSec protocol by the virtual private network (VPN) client/server), an IPSec protocol (per RFC 2041), a virtual private network (VPN) IP destination (i.e. a routable IP address for the virtual private network (VPN) server), and a VPN-CS.

A quality of service (QoS) application profile ID in a VPN quality of service (QoS) request message indicates a desired level of quality of service (QoS) treatment. A quality of service (QoS) application profile ID is required in a VPN quality of service (QoS) request message when the message is provided to the quality of service (QoS) server 100 dynamically. Otherwise, the quality of service (QoS) server 100 derives a quality of service (QoS) application profile ID based on a combination of values embedded in the VPN quality of service (QoS) request message.

A flow description is required in a VPN quality of service (QoS) request message when a quality of service (QoS) application profile ID is not provided therein. In accordance with the principles of the present invention, a flow description must comprise one of the following two directions: ‘in’ or ‘out’, whereas direction ‘in’ refers to an uplink (UL) IP flow and direction ‘out’ refers to a downlink (DL) IP flow. A flow description may also contain: a source and destination IP address (possibly masked), a protocol and a source and destination port (a source port may be omitted to indicate that any source port is allowed). Lists and ranges may not be used to indicate source and/or destination ports.

In accordance with the principles of the present invention, the quality of service (QoS) server 100 accepts VPN quality of service (QoS) request messages from both a virtual private network (VPN) client 118 and a virtual private network (VPN) server 112. Hence, depending upon the implementation, some information may be missing from a VPN quality of service (QoS) request message.

When both a virtual private network (VPN) server 112 and a virtual private network (VPN) client 118 send a VPN quality of service (QoS) request message to the quality of service (QoS) server 100 for a single VPN connection 114, messages from each source must include a reference to the other, to enable the quality of service (QoS) server 100 to successfully assemble all relevant information and assign an appropriate quality of service (QoS) designation to over-the-top (OTT) application data traversing the virtual private network (VPN) connection 114. A VPN-CS field is preferably used to provide such a reference.

In particular, when VPN quality of service (QoS) request messages are sent by both a virtual private network (VPN) server 112 and a virtual private network (VPN) client 118 for a single virtual private network (VPN) connection 114, optional attribute tag, ‘VPN-CS’ is preferably included therein. Optional attribute tag ‘VPN-CS’ contains a unique message identifier that is used by both a virtual private network (VPN) server 112 and a virtual private network (VPN) client 118, to show that messages refer to a single virtual private network (VPN) connection 114.

As shown in step 6 of FIG. 3, the quality of service (QoS) server 100 performs VPN quality of service (QoS) request message validation in response to a VPN quality of service (QoS) request message received thereon. In particular, during VPN quality of service (QoS) request message validation, the quality of service (QoS) server 100 validates a quality of service (QoS) application profile ID received in the VPN quality of service (QoS) request message.

In accordance with the principles of the present invention, the quality of service (QoS) server 100 may either determine a quality of service (QoS) application profile ID directly or indirectly from the VPN quality of service (QoS) request message. Indirect determination of a quality of service (QoS) application profile ID includes analyzing and matching VPN quality of service (QoS) request message parameters to an appropriate quality of service (QoS) application profile ID. Once a quality of service (QoS) application profile ID is determined, the quality of service (QoS) server 100 performs one of the following two potential courses of action, depending upon the type of virtual private network (VPN) tunnel 114 established in steps 2 a-4 b.

In particular, if the virtual private network tunnel (VPN) 114 is a multi-tenant virtual private network (VPN) tunnel 520, then the quality of service (QoS) server 100 records and tracks virtual private network (VPN) 114 tunneling information received in the VPN quality of service (QoS) request message in a virtual private network (VPN) tunneling information database 250, and subsequently returns a VPN quality of service (QoS) response message to the requesting virtual private network (VPN) client 118/server 112, as depicted in step 7. In accordance with the principles of the present invention, the quality of service (QoS) server 100 then waits to receive an application quality of service (QoS) registration message or an application quality of service (QoS) termination message from an over-the-top (OTT) application routing or attempting to route data over the virtual private network (VPN) tunnel 114.

In a multi-tenant virtual private network (VPN) scenario, if a quality of service (QoS) application profile ID received in an application quality of service (QoS) request message differs from a quality of service (QoS) application profile ID embedded in a VPN quality of service (QOS) request message, the quality of service (QoS) application profile ID in the application quality of service (QoS) request message is used to influence quality of service (QoS) treatment.

Alternatively, if the virtual private network tunnel (VPN) 114 established in steps 2 a-4 b is a single-tenant virtual private network (VPN) tunnel 500, then the quality of service (QoS) server 100 immediately applies quality of service (QoS) rules received in the VPN quality of service (QoS) registration or request message to all application data routed over the virtual private network (VPN) tunnel 114. The quality of service rules are extracted from the VPN quality of service (QoS) registration message if that is the only message received and VPN quality of services (QoS) request message if both are received.

In particular, when a VPN quality of service (QoS) registration (or request if received) message is received from a single-tenant virtual private network (VPN) client 118/server 112, the quality of service (QoS) server 100 queries a local mobile network operator (MNO) information database 230 to retrieve home mobile network operator (MNO) information for the over-the-top (OTT) application/virtual private network (VPN) client device 108, as depicted in step 8. If the quality of service (QoS) server 100 cannot find home mobile network operator (MNO) information for the client device in the local mobile network operator (MNO) information database 230, then the quality of service (QoS) server 100 alternatively queries an external number portability database (NPDB) 270 via a number portability database (NPDB) interface 240. Results from either the number portability database (NPDB) 270 or the local mobile network operator (MNO) information database 230 provide the quality of service (QoS) server 100 with enough information to determine a home mobile network operator (MNO) for the over-the-top (OTT) application/VPN client device 108 (step 9).

Once a home mobile network operator (MNO) is identified, the quality of service (QoS) server 100 uses the quality of service (QoS) application profile ID defined in the VPN quality of service (QoS) registration (or request if received) message to determine whether or not over-the-top (OTT) applications routing data over the virtual private network (VPN) tunnel are authorized to influence quality of service (QoS) treatment on the home mobile network operator (MNO) (step 10). In this particular example, there is only one over-the-top (OTT) application configured to transmit data over the virtual private network (VPN) tunnel 114.

In accordance with the principles of the present invention, if the over-the-top (OTT) application configured to route data over the virtual private network (VPN) tunnel 114 is permitted to influence quality of service (QoS) settings on the home mobile network operator (MNO), then the quality of service (QoS) server 100 sends a diameter authentication/authorization request (AAR) message with appropriate quality of service (QoS) information to a policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO), as shown in step 11.

In step 12, the policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO) receives the quality of service (QoS) information and returns a diameter authentication/authorization answer (AAA) message to the quality of service (QoS) server 100.

Upon receipt of the diameter authentication/authorization answer (AAA) message, the quality of service (QoS) server 100 sends a VPN quality of service (QoS) response message to the requesting VPN client 118/server 112, as depicted in step 13.

In accordance with the principles of the present invention, a VPN quality of service (QoS) response message preferably includes: a message ID, an application identifier, and a status identifier.

A status identifier included in a status field of a VPN quality of service (QoS) response message may be any one or more of the following: a success status identifier (100), a quality of service (QoS) system failure status identifier (200) (indicating a default failure or unexpected failure with no available details), a failed validation of application identifier/access credentials status identifier (201), a failed validation of quality of service (QoS) profile ID status identifier (202), a quality of service (QoS) system failure reserved message status identifier (defined per quality of service (QoS) implementation and used to explain a unique system failure) (203-299), a PCRF unavailable status identifier (300), and/or an AAR/AAA message failure status identifier (400), wherein the entire contents of the AAA message is embedded in the status field.

Once the virtual private network (VPN) tunnel 114 is setup between the virtual private network (VPN) client 118 on the user equipment 108 and the virtual private network (VPN) server 112, the over-the-top (OTT) application client 120 configured to route data over the virtual private network (VPN) tunnel 114 may use the virtual private network (VPN) tunnel 114 to register with a corresponding over-the-top (OTT) application server 110 (via a Gi/SGi interface 310), as shown in steps 14 a and 14 b of FIG. 3.

When the over-the-top (OTT) application server 110 receives a service registration request from the over-the-top (OTT) application client 120, the over-the-top (OTT) application server 110 may attempt to establish a mutually authenticated (client 120 and server 110) transport layer security (TLS)/secure sockets layer (SSL) connection with the inventive quality of service (QoS) server 100 (via standard TLS/SSL procedures for mutual authentication), as shown in step 15.

If the initial mutual authentication step is successful, then the over-the-top (OTT) application server 110 sends an application quality of service (QoS) request message to the quality of service (QoS) server 100 to request that a desired level of quality of service (QoS) treatment be applied to application data routed by that over-the-top (OTT) application over the virtual private network (VPN) tunnel 114, as portrayed in step 16.

In accordance with the principles of the present invention, a quality of service (QoS) request message preferably includes: a message ID (i.e. an identifier defined by, and unique to, a requesting over-the-top (OTT) application), an application identifier (as described in 3GPP series 29.214 specification), access credentials (e.g. a secret/password public key infrastructure (PKI) verification, etc.), a quality of service (QoS) application profile ID, a source framed internet protocol (IP) address (an attribute-value pair (AVP)) or framed IPv6 prefix (an attribute-value pair (AVP), RFC 4005 [12]), a service uniform resource name (URN) (an attribute-value pair (AVP), 3GPP 29.214), a reservation priority (TS 183.017 [15]) (a vendor ID shall be set to european telecommunications standards institute (ETSI) (13019) [15]), a subscription ID (RFC 4006 [14]) identifying a particular subscription (e.g. international mobile subscriber identity (IMSI), mobile subscriber integrated services digital network (MSISDN), etc.), and a flow description (an attribute-value pair (AVP), 3GPP 29.214).

A flow description in an application quality of service (QoS) request message must comprise one of the following two directions: ‘in’ or ‘out’, whereas direction ‘in’ refers to an uplink (UL) IP flow and direction ‘out’ refers to a downlink (DL) IP flow. A flow description in an application quality of service (QoS) request message may also contain: a source and destination IP address (possibly masked), a protocol, and a source and destination port (a source port may be omitted to indicate that any source port is allowed). Lists and ranges may not be used to indicate source and/or destination ports.

A quality of service (QoS) application profile ID in an application quality of service (QoS) request message indicates appropriate quality of service (QoS) information to send to a home policy and charging rules function (PCRF) 104.

In accordance with the principles of the present invention, the quality of service (QoS) server 100 performs application quality of service (QoS) request message validation in response to an application quality of service (QoS) request message received thereon, as portrayed in step 17 of FIG. 3.

During application quality of service (QoS) request message validation, the quality of service (QoS) server 100 validates the application identifier, access credentials (e.g. a secret/password public key infrastructure (PKI) verification, etc.), and quality of service (QoS) application profile ID received in the application quality of service (QoS) request message, against application profiles maintained in a local application information database 220. The quality of service (QoS) server 100 validates the format and values of application quality of service (QoS) request message attributes in accordance with a 3GPP series 29.214 specification.

When application quality of service (QoS) request message validation is complete, the quality of service (QoS) server 100 queries a local mobile network operator (MNO) information database 230 to retrieve home mobile network operator (MNO) information for the requesting over-the-top (OTT) application client device 108, as depicted in step 18. If the quality of service (QoS) server 100 cannot find home mobile network operator (MNO) information for the requesting client device 108 in the local mobile network operator (MNO) information database 230, then the quality of service (QoS) server 100 alternatively queries an external number portability database (NPDB) 270 via a number portability database (NPDB) interface 240. Results from either the number portability database (NPDB) 270 or the local mobile network operator (MNO) information database 230 provide the quality of service (QoS) server 100 with enough information to determine a home mobile network operator (MNO) for the requesting client device 108.

Once a home mobile network operator (MNO) is identified (step 19), the quality of service (QoS) server 100 uses a quality of service (QoS) application profile ID, defined in the application quality of service (QoS) request message, to determine whether or not the requesting over-the-top (OTT) application is authorized to influence quality of service (QoS) treatment on the home mobile network operator (MNO).

In step 20 of FIG. 3, if the over-the-top (OTT) application is permitted to influence quality of service (QoS) settings on the home mobile network operator (MNO), then the quality of service (QoS) server 100 queries a local virtual private network (VPN) tunneling information database 250 to determine actual IP packet information associated with application data routed by the over-the-top (OTT) application over the virtual private network (VPN) tunnel 114.

In step 21 of FIG. 3, the quality of service (QoS) server 100 sends a diameter authentication/authorization request (AAR) message with appropriate quality of service (QoS) information and appropriate IP tunneling data to a policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO). Appropriate quality of service (QoS) information depends on the type of virtual private network (VPN) tunnel 114 routing data.

In particular, if the virtual private network (VPN) tunnel 114 is a single-tenant virtual private network (VPN) tunnel 520, then the diameter authentication/authorization request (AAR) message assigns quality of service (QoS) rules defined in the application quality of service (QoS) request message to all application data routed over the virtual private network (VPN) tunnel 114, as previously described in steps 11-13. This assignment allows mapping to the application quality of service (QoS) request message.

Rather, if the virtual private network (VPN) tunnel 114 is a multi-tenant virtual private network (VPN) tunnel 500, then the quality of service (QoS) server 100 assigns quality of service (QoS) rules defined in the application quality of service (QoS) request message to application data being routed for the requesting over-the-top (OTT) application, only. In particular, the quality of service (QoS) server 100 sends a diameter authentication/authorization request (AAR) message with appropriate quality of service (QoS) rules and appropriate tunnel packet identification information to a policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO). Tunnel packet identification information sent to the policy and charging rules function (PCRF) must enable the policy and charging rules function (PCRF) to identify which tunnel packets to assign the requested quality of service (QoS) designation.

As portrayed in step 22, the policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO) receives quality of service (QoS) information and returns a diameter authentication/authorization answer (AAA) message to the quality of service (QoS) server 100.

In step 23, the quality of service (QoS) server 100 sends a quality of service (QoS) application response message with an appropriate status value to the over-the-top (OTT) application server 110.

In accordance with the principles of the present invention, a quality of service (QoS) application response message preferably comprises: a message ID, an application identifier, and a status identifier.

A status identifier included in a status field of a quality of service (QoS) application response message may be any one or more of the following: a success status identifier (100), a quality of service (QoS) system failure status identifier (200) (indicating a default failure or unexpected failure with no available details), a failed validation of application identifier/access credentials status identifier (201), a failed validation of quality of service (QoS) profile ID status identifier (202), a quality of service (QoS) system failure reserved message status identifier (defined per quality of service (QoS) implementation and used to explain a unique system failure) (203-299), a PCRF unavailable status identifier (300), and/or an AAR/AAA message failure status identifier (400), wherein the entire contents of the AAA message is embedded in the status field.

Once quality of service (QoS) rules have been forwarded to the policy and charging rules function (PCRF) 104 on the client devices' 108 home mobile network operator (MNO), the over-the-top (OTT) application client 120 can proceed to transmit and consume data for service delivery purposes (i.e. the over-the-top (OTT) client 120 delivers a service as available to its' functionality and thereby consumes IP bandwidth as a result of service fulfillment). In particular, as depicted in steps 24 a and 24 b of FIG. 3, the over-the-top (OTT) application client 120 on the user equipment 108 either initiates or receives a request to begin service fulfillment.

As shown in step 25, once a request for service fulfillment is received (or initiated) on the over-the-top (OTT) application server 110 (via a Gi/SGi interface 310), the over-the-top (OTT) application server 110 attempts to establish a mutually authenticated (client 120 and server 110) transport layer security (TLS)/secure sockets layer (SSL) connection with the quality of service (QoS) server 100 (following standard transport layer security (TLS)/secure sockets layer (SSL) procedures for mutual authentication).

As portrayed in step 26, if the initial mutual authentication step is successful, the over-the-top (OTT) application server 110 sends an application quality of service (QoS) request message over the virtual private network (VPN) tunnel 114 to the quality of service (QoS) server 100, to request that a desired level of quality of service (QoS) treatment be applied to application data routed by the over-the-top (OTT) application over the virtual private network (VPN) tunnel 114.

As depicted in steps 27-33, the quality of service (QoS) server 100 then performs application quality of service (QoS) request message validation on the received application quality of service (QoS) request message, identifies a home mobile network operator (MNO) for the requesting client user equipment (UE) 108, sends appropriate quality of service (QoS) data to a home policy and charging rules function (PCRF) 104 based on the type of virtual private network (VPN) tunnel 114 routing application data, and subsequently forwards a quality of service (QoS) application response message to the over-the-top (OTT) application server 110, as previously described in steps 17-23.

In accordance with the principles of the present invention, once signaling or data services are terminated on the over-the-top (OTT) application client device 108, the over-the-top (OTT) application server 110 informs the quality of service (QoS) server 100 of the service termination, to trigger reserved quality of service (QoS) values to be terminated on the client devices' 108 home mobile network operator (MNO).

In particular, as depicted in step 34 of FIG. 3, when the over-the-top (OTT) application server 110 detects a termination of signaling or service on the over-the-top (OTT) application client user equipment (UE) 108, the over-the-top (OTT) application server 110 attempts to establish a mutually authenticated (client 120 and server 110) TLS/SSL connection with the quality of service (QoS) server 100 (following standard TLS/SSL procedures for mutual authentication).

As portrayed in step 35, if the initial mutual authentication step is successful, the over-the-top (OTT) application server 110 sends an application quality of service (QoS) termination message to the quality of service (QoS) server 100.

In accordance with the principles of the present invention, an application quality of service (QoS) termination message preferably includes: a message ID (an identifier defined by, and unique to, a requesting over-the-top (OTT) application), an application identifier (as described in 3GPP series 29.214 specification), access credentials (e.g. a secret/password public key infrastructure (PKI) verification, etc.), a quality of service (QoS) application profile ID, a source framed IP address (an attribute-value part (AVP)) or framed IPv6 prefix (an attribute-value part (AVP), RFC 4005 [12]), a service uniform resource name (URN) (an attribute-value part (AVP), 3GPP 29.214), a reservation priority (TS 183.017 [15]) (a vendor is preferably set to european telecommunications standards institute (ETSI) (13019) [15]), and a subscription ID (RFC 4006 [14]), identifying a particular subscription, e.g., international mobile subscriber identity (IMSI), mobile station integrated services digital network (MSISDN), etc.

In response to an application quality of service (QoS) termination message, the quality of service (QoS) server 100 performs application quality of service (QoS) termination message validation, as portrayed in step 36. During application quality of service (QoS) termination message validation, the quality of service (QoS) server 100 validates the application identifier and access credentials (e.g., a secret/password public key infrastructure (PKI) verification, etc.) received in the application quality of service (QoS) termination message against application profile data maintained in a local application information database 220.

As depicted in step 37, once application quality of service (QoS) termination message validation is complete, the quality of service (QoS) server 100 sends a diameter session termination request (STR) message to the policy and charging rules function (PCRF) 104 on the over-the-top (OTT) application client device's 108 home mobile network operator (MNO), to indicate that service/signaling has been terminated.

In steps 38 and 39, the policy and charging rules function (PCRF) 104 responds to the quality of service (QoS) server 100 with a diameter session termination answer (STA) message, and the quality of service (QoS) server 100 subsequently sends an application quality of service (QoS) response message (including an appropriate status value) to the requesting over-the-top (OTT) application server 110.

Similarly, the virtual private network (VPN) client 118 and/or server 112 sends an IPSec tunnel mapping table, containing appropriate tunnel termination information (tunneling information depicted in Table 1) to the quality of service (QoS) server 100, once the virtual private network (VPN) tunnel 114 is terminated.

In particular, as depicted in steps 40 a, 40 b, and 40 c, the virtual private network (VPN) client 118/server 112 sends a VPN quality of service (QoS) termination message with appropriate tunneling information (tunneling information depicted in Table 1) to the quality of service (QoS) server 100 when the virtual private network (VPN) tunnel 114 is terminated. The virtual private network (VPN) client 118 sends a VPN quality of service (QoS) termination message to the quality of service (QoS) server 100 via a conventional Gi/SGi interface 310.

In accordance with the principles of the present invention, a VPN quality of service (QoS) termination message preferably includes access credentials and a tunnel source and destination IP address, to enable the quality of service (QoS) server to identify which tunnel is being terminated and to determine if a pending quality of service (QoS) configuration in the wireless network need be removed as a result of the tunnel termination. A quality of service (QoS) termination message is typically preceded by a session termination. However, this may not always be the case.

In step 41, the quality of service (QoS) server 100 receives the VPN quality of service (QoS) termination message and appropriately responds to the virtual private network (VPN) client 118/server 112 with a VPN quality of service (QoS) response message.

Many commercial wireless networks provide quality of service (QoS) to their clients. The inventive solution is described herein via use of a specific long term evolution (LTE) network provider. However, the present invention may be applied to any wireless network that supports quality of service (QoS) treatment, including: a universal mobile telecommunications system (UMTS), long term evolution (LTE) technology, an evolved-universal mobile telecommunications system (E-UMTS), long term evolution (LTE) technology advanced, and Wi-Fi.

Inventive quality of service (QoS) logic may and should be extended to support other scenarios, such as scenarios described as “Application Function” logic in 3GPP series 29 specifications.

Use of this inventive technology causes certain packets associated with a virtual private network (VPN) connection to be identified via their security parameter index (SPI) value. Identification of this nature may reveal an associative characteristic of some virtual private network (VPN) packets. Implementers of the inventive technology may wish to determine if additional security, additional encryption, etc., is required to compensate for the reveal of the associative nature of packets.

The present invention has particular applicability to United States federal agencies, such as the Federal Emergency Management Agency (FEMA), and the Department of Homeland Security (DHS), etc., as well as to emergency first responders, large over-the-top (OTT) application providers (e.g., Google™, Apple™, etc.), and enhanced long term evolution (LTE) policy and charging rules function(s) (PCRF), from policy and charging rules function (PCRF) vendors.

While the invention has been described with reference to the exemplary embodiments thereof, those skilled in the art will be able to make various modifications to the described embodiments of the invention without departing from the true spirit and scope of the invention. 

1-49. (canceled)
 50. A method for extending quality of service (QoS) treatment to an over-the-top (OTT) application transmitting data over a network, comprising: receiving a quality of service (QoS) registration message and a quality of service (QoS) request message; performing validation on said quality of service (QoS) registration message and on said quality of service (QoS) request message; querying a local mobile network operator (MNO) information database for a home mobile network operator (MNO) assigned to a requesting client device; determining that an over-the-top (OTT) application routing data is permitted to influence quality of service (QoS) settings on said home mobile network operator (MNO); sending a message with appropriate quality of service (QoS) information to a policy and charging rules function (PCRF) on said home mobile network operator (MNO); and returning a quality of service (QoS) response message to said requesting client device with an appropriate status identifier.
 51. A quality of service (QoS) server for extending quality of service (QoS) treatment to an over-the-top (OTT) application transmitting data over a network, comprising: an over-the-top (OTT) application interface for interfacing with an over-the-top (OTT) application server; a mobile network operator (MNO) policy and charging rules function (PCRF) interface for interfacing with a policy and charging rules function (PCRF) on a home mobile network operator (MNO) assigned to an over-the-top (OTT) application client device; a number portability database (NPDB) interface for interfacing with an external number portability database (NPDB); a network server interface for interfacing with a network server at either end of a virtual private network (VPN) tunnel routing data from said over-the-top (OTT) application server; a local virtual private network (VPN) tunneling information database to store information for said virtual private networks (VPN); and a local application information database to store a profile for a supported over-the-top (OTT) application on said over-the-top (OTT) application server.
 52. A method for extending quality of service (QoS) treatment to an over-the-top (OTT) application server, comprising: receiving a quality of service (QoS) registration message from an over-the-top (OTT) application server; receiving a quality of service (QoS) request message from said over-the-top (OTT) application server; performing validation on both said quality of service (QoS) registration message and said quality of service (QoS) request message; determining that said over-the-top (OTT) application is permitted to influence quality of service (QoS) settings on a home mobile network operator (MNO); sending a message with appropriate quality of service (QoS) information to a policy and charging rules function (PCRF) on said home mobile network operator (MNO), said policy and charging rules function (PCRF) providing quality of service (QoS) treatment to said over-the-top (OTT) application; and returning an application quality of service (QoS) response message to said over-the-top (OTT) application server.
 53. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application server according to claim 52, wherein: said application quality of service (QoS) response message is returned to said over-the-top (OTT) application server with an appropriate status identifier.
 54. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application server according to claim 52, further comprising: querying a local mobile network operator (MNO) information database for an identity of said home mobile network operator (MNO) assigned to an over-the-top (OTT) application client device;
 55. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: first quality of service (Qos) rules embedded in said quality of service (QoS) request message override second quality of service (QoS) rules embedded in said quality of service (QoS) registration message when said first quality of service (Qos) rules differ from said second quality of service (QoS) rules.
 56. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: said message sent to said policy and charging rules (PCRF) function assigns quality of service (QoS) rules defined in said application quality of service (QoS) request message to application data routed for said requesting over-the-top (OTT) application when said over-the-top (OTT) application is routing data over a multi-tenant virtual private network (VPN) tunnel.
 57. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: said quality of service information is sent to said policy and charging rules function (PCRF) via a diameter protocol interface.
 58. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 54, wherein: said policy and charging rules function (PCRF) on said home mobile network operator (MNO) forwards received quality of service (QoS) rules to a policy and charging rules function (PCRF) serving said over-the-top (OTT) application client device when said (OTT) application client device is roaming.
 59. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: said quality of service (QoS) request message indicates a particular quality of service (QoS) profile to invoke.
 60. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: said over-the-top (OTT) application server sends an application quality of service (QoS) termination message to said quality of service (QoS) server when said over-the-top (OTT) application server detects a termination of service on said over-the-top (OTT) application client.
 61. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 52, wherein: said over-the-top (OTT) application server sends an application quality of service (QoS) termination message to said quality of service (QoS) server when said over-the-top (OTT) application server detects signaling on said over-the-top (OTT) application client.
 62. The method for extending quality of service (QoS) treatment to an over-the-top (OTT) application according to claim 61, wherein: said application quality of service (QoS) termination message indicates to said quality of service (QoS) server that reserved quality of service (QoS) values may be terminated on said home mobile network operator (MNO) assigned to said over-the-top (OTT) application client device. 